



Hierarchy Level


Verify the IPsec datapath before the secure tunnel (st0) interface is activated and route(s) associated with the interface are installed in the Junos OS forwarding table. This configuration is useful in network topologies where there is a transit firewall located between the VPN tunnel endpoints, and where IPsec data traffic that uses active routes for an established VPN tunnel on the st0 interface might be blocked by the transit firewall.

When this option is configured, the source interface and destination IP addresses that can be configured for VPN monitor operation are not used for IPsec datapath verification. The source for the ICMP requests in the IPsec datapath verification is the local tunnel endpoint.

When IPsec datapath verification is configured, the following actions occur:

  1. Upon the establishment of the VPN tunnel, an ICMP request is sent to the peer tunnel endpoint to verify the IPsec datapath.

    The peer tunnel endpoint must be reachable by VPN monitor ICMP requests and must be able to respond to the ICMP request. While the datapath verification is in progress, “V” is displayed in the VPN Monitoring field in the show security ipsec security-association detail command output.

  2. The st0 interface is activated only when a response is received from the peer.

    The show interface st0.x command output shows the st0 interface status during and after the datapath verification: Link-Layer-Down before the verification finishes and Up after the verification finishes successfully.

  3. If no ICMP response is received from the peer, another ICMP request is sent at the configured VPN monitor interval (the default is 10 seconds) until the VPN monitor threshold (the default is 10 times) is reached.

    If the verification does not succeed, the KMD_VPN_DOWN_ALARM_USER system log entry indicates the reason as a VPN monitoring verify-path error. The error is logged under tunnel events in the show security ipsec security-association detail command output. The show security ipsec tunnel-events-statistics command displays the number of times the error occurred.

    VPN monitor interval and threshold values are configured with vpn-monitor-options at the [edit security ipsec] hierarchy level.

  4. If no ICMP response is received from the peer after the VPN monitor threshold is reached, the established VPN tunnel is brought down and the VPN tunnel is renegotiated.


destination-ip ip-address

Original, untranslated IP address of the peer tunnel endpoint that is behind a NAT device. This IP address must not be the NAT translated IP address. This option is required if the peer tunnel endpoint is behind a NAT device. The verify-path ICMP request is sent to this IP address so that the peer can generate an ICMP response.

packet-size bytes

(Optional) The size of the packet that is used to verify an IPsec datapath before the st0 interface is brought up.

The packet size must be lower than the path maximum transmission unit (PMTU) minus tunnel overhead. The packet used for IPsec datapath verification must not be fragmented.

  • Range: 64 to 1350 bytes

  • Default: 64 bytes
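The retry sequence in steps 1 through 4 and the packet-size constraint can be modelled offline to see how long st0 stays down behind a transit firewall and whether a chosen packet-size fits the path. This is an added example, not Juniper code; the function names, the timing assumptions noted in the comments, and the PMTU and overhead figures are constructed for illustration.

```python
from dataclasses import dataclass

# Values stated on this page.
PACKET_SIZE_RANGE = (64, 1350)           # bytes; default is 64
DEFAULT_INTERVAL_S, DEFAULT_THRESHOLD = 10, 10


def check_packet_size(packet_size, pmtu, tunnel_overhead):
    """Return the reasons a verify-path packet-size is unusable (empty = OK).

    pmtu and tunnel_overhead are supplied by the caller; the overhead
    depends on the IPsec proposal and encapsulation in use.
    """
    problems = []
    low, high = PACKET_SIZE_RANGE
    if not low <= packet_size <= high:
        problems.append(f"{packet_size} is outside the range {low} to {high} bytes")
    limit = pmtu - tunnel_overhead
    if packet_size >= limit:
        problems.append(f"{packet_size} is not lower than PMTU minus overhead ({limit})")
    return problems


@dataclass
class Outcome:
    st0_activated: bool      # st0 is activated only when the peer responds
    requests_sent: int
    last_request_at_s: int   # seconds after tunnel establishment
    renegotiate: bool        # tunnel brought down and renegotiated


def verify_path(replies, interval_s=DEFAULT_INTERVAL_S, threshold=DEFAULT_THRESHOLD):
    """Model steps 1 to 4. replies[i] is True if request i+1 was answered.

    Assumptions: request 1 goes out at t=0, the threshold counts every
    request including the first, and reply latency is ignored.
    """
    sent_at = 0
    for n in range(1, threshold + 1):
        sent_at = (n - 1) * interval_s
        if n <= len(replies) and replies[n - 1]:
            return Outcome(True, n, sent_at, False)
    return Outcome(False, threshold, sent_at, True)


if __name__ == "__main__":
    # Constructed path: PMTU 1400 bytes, 73 bytes of tunnel overhead.
    print(check_packet_size(1350, pmtu=1400, tunnel_overhead=73))
    print(verify_path([False, False, True]))
    print(verify_path([]))
```

With the constructed path above, 1350 bytes is inside the configurable range but still fails the PMTU check, which is the case to catch before committing the value.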

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 15.1X49-D70.

packet-size option added in Junos OS Release 15.1X49-D120.

Support for the verify-path option with IPsec VPN running the IKED process introduced in Junos OS Release 23.4R1.